One person - several FAS accounts? (was: bodhi abuse?)

Mike McGrath mmcgrath at redhat.com
Sun Aug 31 03:36:19 UTC 2008


On Sat, 30 Aug 2008, Seth Vidal wrote:

> On Sun, 2008-08-31 at 00:57 +0200, Michael Schwendt wrote:
> > On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:
> >
> > > I agree with Michael about 10^10%.
> > >
> > > FAS accounts should be only one for each user. If there are needs for
> > > having several accounts for one person, these needs should be
> > > explained and either the FAS system extended to cover these cases, or
> > > special cased by whatever entity (fesco, fab, Fedora infra team?) is
> > > authoritative.
> > >
> > > Isn't there perhaps already some text that one needs to click
> > > through that has the user sign that he will use only that account?
> > > Otherwise could someone add this?
> > >
> > > Besides bodhi fake voting this can even be used for fab/fesco fake
> > > voting (although it is probably harder to mark several
> > > same-person-accounts as packager accounts w/o anyone noticing it)!
> >
> > Just for the record and because my original post went to fedora-buildsys-list.
> > I've stumbled into suspicious voting activity in bodhi, such as:
> >
> >   https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9
> >     (pending)
> >
> >   +1 acottle - 2008-08-27 22:24:21
> >   +1 auscity - 2008-08-27 22:24:46
> >   +1 dcottle - 2008-08-27 22:25:11
> >
> > There are more like that from those users. They have several things in
> > common. Never any comment except for sporadic words (or discussion with
> > other voters) from dcottle. Just the +1. Usually at least two of these
> > accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
> > seconds like above) and always on the same updates for both F9 and F8.
> > It is often voted on pending updates, where downloading from koji is
> > necessary.
> >
> > You can learn in one of dcottle's comments to a kernel update, where users
> > use bodhi to chat a bit, that his daily routine is to look for new builds
> > "in koji" in the morning hours. And yet it's three accounts that vote at
> > the same time on the same updates.
> >
> > Of course, I'm paranoid. ;) Of course, this is not the same person
> > behind those accounts. One can imagine how they sit next to each other
> > and practise voting in bodhi at the same time several days a week
> > for every update they try. :)
> >
> > So, ... FAS confirmed that users dcottle and auscity are the same person
> > (actually with the email addresses swapped to make the connection even
> > more obvious), and acottle shares the surname *and* the domain name in the
> > email address.
> >
> > After I had mailed the three users and the list, I've received four angry
> > replies from the person trying to explain that the multiple votes are done
> > because the updates are tested on several machines.  About an hour ago
> > I've received a rude reply that mentioned the obvious possibility (or is
> > it a threat of what to expect next?) of "registering countless hotmail,
> > yahoo or free accounts and commenting all day long" and a pool of 64 IP
> > addresses in order to conceal the activity in bodhi.
> >
> >
> > It's great that dcottle (David Cottle) has been such an active update
> > tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
> > spending +3 karma points instead of just one should not be done with three
> > accounts. Superhero testers (especially those who really test
> > hardware-dependent updates on lots of different hardware) could gain extra
> > privileges in bodhi or be marked as VIPs in the future. I'm sure something
> > can be done to reward them for their contribution and to aid package
> > maintainers in deciding what level of testing an update has seen.
> >
> > However, all I see so far is an attempt at raising karma in bodhi in the
> > hope that the updates will be pushed to stable sooner. And that is
> > foul play IMO.
>
> Yes, this seems like a real problem to me.
>
> Thanks for the heads up.
>

If this becomes a real problem (or if it is already) we can just create a
policy against this sort of thing and enforce it on a per-complaint basis.

	-Mike
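The pattern Michael describes above (several accounts casting +1 on the same update within about 20 seconds of each other, and account records that share a surname, domain or swapped email addresses) can be checked mechanically. The following is an added example written for this thread; it is not code from bodhi, FAS or anyone on the list. The vote lines mimic the format quoted above, but every email address, the second update name, the 60-second window and the function names are constructed assumptions.

```python
"""Added example, not code from the thread or from bodhi itself: flag
accounts that cast karma on the same updates within seconds of each other
and cross-check them against account metadata.

The vote lines mimic the format quoted in the thread; all sample data,
email addresses and thresholds below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

VOTE_RE = re.compile(
    r"^\s*([+-]\d+)\s+(\S+)\s+-\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)

# Constructed sample in bodhi's comment style: an update name, then its votes.
SAMPLE_VOTES = """\
PackageKit-0.2.4-6.fc9
  +1 acottle - 2008-08-27 22:24:21
  +1 auscity - 2008-08-27 22:24:46
  +1 dcottle - 2008-08-27 22:25:11
  +1 someone - 2008-08-28 09:10:00
otherpkg-1.0-1.fc9
  +1 dcottle - 2008-08-28 07:02:10
  +1 auscity - 2008-08-28 07:02:30
  -1 tester2 - 2008-08-28 12:00:00
"""

# Constructed account metadata (hypothetical addresses, not real FAS data);
# the swapped local parts mirror what the thread reports.
SAMPLE_EMAILS = {
    "dcottle": "auscity@example.com",
    "auscity": "dcottle@example.com",
    "acottle": "acottle@example.com",
    "someone": "someone@other.example",
    "tester2": "tester2@third.example",
}


def parse_votes(text):
    """Return {update: [(account, karma, timestamp), ...]}."""
    votes = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = VOTE_RE.match(line)
        if m:
            karma, account, ts = m.groups()
            votes[current].append(
                (account, int(karma), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            )
        elif line.strip():
            current = line.strip()  # a non-vote line names the update
    return dict(votes)


def vote_clusters(votes, window_seconds=60):
    """Per update, runs of votes where each vote follows the previous one
    within window_seconds and at least two distinct accounts took part."""
    clusters = {}
    for update, entries in votes.items():
        ordered = sorted(entries, key=lambda e: e[2])
        runs, run = [], [ordered[0]]
        for prev, cur in zip(ordered, ordered[1:]):
            if (cur[2] - prev[2]).total_seconds() <= window_seconds:
                run.append(cur)
            else:
                runs.append(run)
                run = [cur]
        runs.append(run)
        kept = [r for r in runs if len({e[0] for e in r}) >= 2]
        if kept:
            clusters[update] = kept
    return clusters


def co_vote_counts(votes, window_seconds=60):
    """For each account pair, how many clusters (updates) they voted in together."""
    counts = defaultdict(int)
    for runs in vote_clusters(votes, window_seconds).values():
        for run in runs:
            for a, b in combinations(sorted({e[0] for e in run}), 2):
                counts[(a, b)] += 1
    return dict(counts)


def linked_accounts(emails):
    """Pairs whose registration data point at one person: a shared email
    domain, or one account's username used as the other's email local part."""
    links = {}
    for a, b in combinations(sorted(emails), 2):
        la, da = emails[a].lower().split("@")
        lb, db = emails[b].lower().split("@")
        reasons = []
        if da == db:
            reasons.append("same email domain")
        if a.lower() == lb or b.lower() == la:
            reasons.append("username used in the other account's email")
        if reasons:
            links[(a, b)] = reasons
    return links


def suspicious_pairs(votes, emails, window_seconds=60, min_covotes=2):
    """Report pairs that co-vote repeatedly, or co-vote at all while being
    linked through account metadata."""
    covotes = co_vote_counts(votes, window_seconds)
    links = linked_accounts(emails)
    report = []
    for pair, n in sorted(covotes.items()):
        if n >= min_covotes or pair in links:
            report.append((pair[0], pair[1], n, links.get(pair, [])))
    return report


if __name__ == "__main__":
    for a, b, n, why in suspicious_pairs(parse_votes(SAMPLE_VOTES), SAMPLE_EMAILS):
        print(f"{a} / {b}: co-voted on {n} update(s); {', '.join(why) or 'no metadata link'}")
```

The timing check alone only yields a lead: two genuine testers can press +1 within a minute of each other. The report therefore escalates a pair on either repeated co-voting or a single co-vote combined with a metadata link, which is the same two-step reasoning (timing first, then FAS data) that the quoted post followed by hand. On real data the window and the minimum co-vote count are the knobs to tune against false positives.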




More information about the fedora-advisory-board mailing list